OAuth2 invalid_grant Error — Token Refresh and Authorization Code Failures
About OAuth2 invalid_grant Error
The OAuth2 token endpoint answers with error=invalid_grant when the grant presented to it (an authorization code or a refresh token) is invalid, expired or revoked, does not match the redirect URI used in the authorization request, or was issued to a different client (RFC 6749, section 5.2); the response carries HTTP status 400. It is one of the most common OAuth2 errors in production applications, and it shows up in two places: the authorization-code exchange and the refresh-token request. This page lists the causes behind each, the steps that fix them, and answers to the questions that come up most often.
Quick Answer
Why does my refresh token suddenly stop working?
Providers revoke or expire refresh tokens when the user changes their password (for Google this applies to tokens carrying Gmail scopes), the user revokes the app's access, the token has gone unused for longer than the provider's inactivity window (six months for Google), the user exceeds the provider's limit of live refresh tokens per client, or, on some providers, the app's client secret is rotated or deleted. In every case the fix is the same: discard the stored refresh token and send the user through the authorization flow again; retrying the refresh request cannot succeed.
Overview
This page covers invalid_grant responses from the token endpoint: authorization-code exchanges and refresh-token requests that fail because the grant is expired, revoked, or was presented incorrectly (wrong redirect_uri, wrong client, or reused).
Key Details
- The token endpoint returns invalid_grant (HTTP 400) when the authorization grant presented, an authorization code or a refresh token, is invalid, expired, revoked, bound to a different redirect URI, or issued to a different client (RFC 6749, section 5.2)
- Authorization codes are single-use and short-lived; RFC 6749 recommends a maximum lifetime of 10 minutes, and providers commonly use that window or a shorter one
- Refresh tokens can be revoked by the user, expired by the server, or invalidated by password changes
- This is one of the most common OAuth2 errors in production applications
- Providers apply their own inactivity and lifetime limits: Google may revoke a refresh token after six months of disuse and issues 7-day refresh tokens while an external app's OAuth consent screen is still in Testing status; the Microsoft identity platform's default refresh-token lifetime is 90 days. Check your provider's documentation for the exact numbers
Common Causes
- Authorization code used more than once: codes are single-use by spec, and on a second redemption the server must refuse it and should revoke any tokens already issued from it (RFC 6749, section 4.1.2), so a duplicate exchange (a double-submitted callback, a retried request) can also kill the session that the first exchange created
- Authorization code expired before it was exchanged, typically because the exchange was delayed past the provider's window (around 10 minutes), for instance by a callback handler that stores the code for later processing instead of redeeming it at once
- Refresh token revoked: the user changed their password or revoked the app's access, the token went unused past the provider's inactivity limit, or, with refresh-token rotation, an already-rotated token was presented again and the provider revoked the whole token family
- redirect_uri in the token request does not exactly match the one sent in the authorization request; the comparison is byte for byte, so a trailing slash, a different port, http versus https, or a missing query string is enough
- Token request sent by a different client_id than the one the code was issued to, or, with PKCE, a code_verifier that does not match the code_challenge from the authorization request (RFC 7636 requires invalid_grant in that case)
Steps
1. Exchange the authorization code immediately, in the callback handler, and exactly once; never store, log, or reuse it. If the exchange fails with invalid_grant, do not retry with the same code: start a new authorization request.
2. When a refresh request fails with invalid_grant, do not retry it and do not keep the token. Delete the stored refresh token and route the user through the authorization flow again; only a new grant can recover from this.
3. Send the same redirect_uri in the token request as in the authorization request, and make sure it is one of the URIs registered with the provider; compare the two strings byte for byte, including scheme, host, port, path, trailing slash and query string.
4. Store refresh tokens in an encrypted secret store, never in logs or client-side storage, and use rotation where the provider supports it. With rotation, persist the new refresh token from every refresh response before doing anything else; if the client crashes or retries with the old token, the provider treats that as reuse and may revoke the whole token family.
5. Handle the error gracefully: catch invalid_grant at the API boundary, clear the dead credentials, and redirect the user to re-authenticate with a message that says why, rather than surfacing a raw 400 response.
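The causes listed under Common Causes and the handling steps above, as one added example that is not part of the original page and not any provider's or library's code: an in-memory stand-in for a token endpoint (AuthServer) that enforces single-use, ten-minute codes bound to client_id and redirect_uri, rotates refresh tokens, and revokes a token family when a rotated token is replayed, next to a client (Client) that redeems a code once, rotates on refresh, and drops the grant the moment the endpoint answers invalid_grant so the caller re-authorizes instead of retrying. The client id, redirect URIs, error_description strings and the demo scenario are constructed for the example, and it goes slightly beyond the page's list by showing the family revocation that rotation adds.

```python
# Constructed example, not a real provider's or library's code; client id, URLs and messages are made up.
import secrets
CODE_LIFETIME = 600  # seconds; RFC 6749 recommends a code lifetime of at most 10 minutes

class InvalidGrant(Exception): """The token endpoint answered with error=invalid_grant."""

class AuthServer:
    # Single-use codes bound to client_id/redirect_uri; refresh rotation; family revocation.
    def __init__(self, clock):
        self.clock = clock
        self.codes, self.refresh = {}, {}  # code -> (client_id, redirect_uri, issued_at); token -> family
        self.used, self.families = set(), set()  # rotated-away refresh tokens; live families

    def authorize(self, client_id, redirect_uri):  # front channel: consent binds a code
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, self.clock())
        return code

    def token(self, p):  # token endpoint; returns a dict shaped like the JSON response
        def err(desc):
            return {"error": "invalid_grant", "error_description": desc}
        if p.get("grant_type") == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)  # pop: a code is redeemable once
            if entry is None:
                return err("code unknown or already used")
            client_id, redirect_uri, issued = entry
            if self.clock() - issued > CODE_LIFETIME:
                return err("code expired")
            if (client_id, redirect_uri) != (p.get("client_id"), p.get("redirect_uri")):
                return err("client_id or redirect_uri mismatch")
            return self._issue(secrets.token_hex(4))  # a fresh family per authorization
        rt = p.get("refresh_token")  # otherwise grant_type=refresh_token
        if self.refresh.get(rt) not in self.families:
            return err("refresh token revoked or unknown")
        if rt in self.used:  # replay of a rotated token: revoke the whole family
            self.families.discard(self.refresh[rt])
            return err("refresh token reuse detected")
        self.used.add(rt)
        return self._issue(self.refresh[rt])

    def _issue(self, family):
        self.families.add(family)
        rt = secrets.token_urlsafe(16)
        self.refresh[rt] = family
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt, "expires_in": 3600}

class Client:
    # Tokens are kept in memory here; a real app persists them in an encrypted store.
    def __init__(self, server, client_id, redirect_uri):
        self.server, self.client_id, self.redirect_uri, self.tokens = server, client_id, redirect_uri, None

    def _post(self, **params):
        resp = self.server.token({"client_id": self.client_id, **params})
        if resp.get("error") == "invalid_grant":
            raise InvalidGrant(resp["error_description"])
        return resp

    def exchange_code(self, code):  # redeem now, once, with the authorization's redirect_uri
        self.tokens = self._post(grant_type="authorization_code", code=code,
                                 redirect_uri=self.redirect_uri)
        return self.tokens["access_token"]

    def refresh(self):  # rotation: the successor replaces the old token immediately
        try:
            self.tokens = self._post(grant_type="refresh_token",
                                     refresh_token=self.tokens["refresh_token"])
        except InvalidGrant:
            self.tokens = None  # a dead grant is never retried; the user must re-authorize
            raise
        return self.tokens["access_token"]

def demo():  # trigger each invalid_grant cause and the recovery; return the outcomes
    now, cb = [1_700_000_000.0], "https://app.example/callback"
    srv = AuthServer(clock=lambda: now[0])
    client, out = Client(srv, "app-1", cb), {}
    def attempt(fn, *args):  # "ok", or the error_description the endpoint returned
        try:
            return fn(*args) and "ok"
        except InvalidGrant as e:
            return str(e)
    code = srv.authorize("app-1", cb)
    out["first_exchange"] = attempt(client.exchange_code, code)
    out["code_reuse"] = attempt(client.exchange_code, code)
    code = srv.authorize("app-1", cb)
    now[0] += CODE_LIFETIME + 1  # exchanged too late
    out["code_expired"] = attempt(client.exchange_code, code)
    code = srv.authorize("app-1", "https://app.example/other")  # consented under another URI
    out["redirect_mismatch"] = attempt(client.exchange_code, code)
    client.exchange_code(srv.authorize("app-1", cb))
    stale = client.tokens  # the copy a client might retry after crashing mid-rotation
    out["refresh_ok"] = attempt(client.refresh)
    rotated, client.tokens = client.tokens, stale
    out["refresh_replay"] = attempt(client.refresh)
    client.tokens = rotated  # the legitimate successor is dead too
    out["family_revoked"] = attempt(client.refresh)
    out["recovered"] = attempt(client.exchange_code, srv.authorize("app-1", cb))  # re-authorize
    srv.families.clear()  # user revoked the app or changed their password
    out["after_user_revoke"] = attempt(client.refresh)
    return out
```

demo() walks through the cases in the order the causes are listed and returns "ok" or the endpoint's error_description for each. The line worth studying is the stale-token replay: it not only fails, it kills the legitimate successor token as well, which is why step 4 insists on persisting the rotated refresh token before anything else happens, and why the client's refresh() discards the grant on invalid_grant rather than retrying it.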